 Setup Citrix Access Gateway Enterprise Edition (NetScaler) for use of multiple authentication methods. 

Nordic Edge One Time Password (OTP Server) has comprehensive RADIUS support, including support for multiple authentication methods. This means that the end user can choose the authentication method: SMS, the software token Pledge, or OATH-compliant tokens.

This step by step guide explains how you set up the Citrix Access Gateway Enterprise Edition (NetScaler) and the Nordic Edge OTP Server with multiple authentication methods. In this example, we are going to set up two methods, SMS and Pledge.

1 Prerequisites
2 Multiple authentication methods
3 Configuring Citrix NetScaler
3.1 Add multiple authentication function to the Citrix NetScaler login page
    Backup files in Citrix NetScaler
3.2 Update Citrix NetScaler startup script
3.3 Add multiple authentication methods to NetScaler configuration
    Restart Citrix NetScaler
4 Configure the One Time Password Server for use of multiple authentication methods
4.1 Create databases for Citrix Authentication Methods
4.2 Configure OTP Server Clients for your authentication methods
    Create OTP Server client for SMS authentication
    Create OTP Server Client for Pledge authentication
    Restart OTP Server
    Test authentication with multiple authentication methods
5 Technical questions

1 Prerequisites

This guide builds on the Pledge and SMS setups described in the following step-by-step guides, which should be completed first:

- http://support.nordicedge.se/step-by-step-guide-to-implement-pledge-enrollment-to-otpserver-3
- http://support.nordicedge.se/step-by-step-guide-to-implement-sms-authentication-to-citrix-access-gateway-enterprise-edition

You need to have the following installed before you begin:

● OTP Server

● Citrix NetScaler and XenServer

Start the OTP Configurator and verify the setup below:

1. Databases - MS Active Directory: the OTP Database points to an LDAP directory with user objects and mobile numbers.
2. Clients - My SSL-VPN Server: the OTP Client for Citrix NetScaler points to the MS Active Directory database.
3. Delivery Methods: the Nordic Edge SMS service needs to be enabled to send text messages with one-time passwords.

2 Multiple authentication methods

Citrix NetScaler and the OTP Server integrate via the RADIUS protocol. To support multiple authentication methods, Citrix NetScaler tells the OTP Server which method the end user has chosen by means of an attribute in the RADIUS Access-Request. In Citrix NetScaler this attribute is configured as the NAS ID of the RADIUS authentication server; on the wire it is RADIUS attribute number 32 (NAS-Identifier). The OTP Server maps each NAS ID value to its own client, and thereby to the user database and OTP method to use.

3 Configuring Citrix NetScaler

These are the main steps that need to be performed to configure Citrix NetScaler:

1. Add the multiple authentication function to the login page.
2. Adjust the startup script to use the new login page.
3. Add the authentication methods to the NetScaler configuration.

3.1 Add multiple authentication function to the Citrix NetScaler login page

Backup files in Citrix NetScaler

Changes will be made to the following files:

/netscaler/ns_gui/vpn/index.html
/nsconfig/rc.netscaler

NOTE: Back up these files before continuing.

- Add the configuration below to /netscaler/ns_gui/vpn/index.html. See the example index.html for instructions on where to place this configuration. The first block adds the cookie helper functions and replaces the opening <FORM> tag of the logon form; the second block adds a "Logon method" drop-down as a new table row inside that form. The selected method is stored in a cookie named logonmethod when the form is submitted, and the NetScaler authentication policies in section 3.3 match on that cookie.

<!-- Nordic Edge modification Start -->
<script type="text/javascript">
  function getCookie(name) { // use: getCookie("name");
    var re = new RegExp(name + "=([^;]+)");
    var value = re.exec(document.cookie);
    return (value != null) ? unescape(value[1]) : null;
  }

  var today = new Date();
  var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // plus 28 days
  var expired = new Date(today.getTime() - 24 * 3600 * 1000);     // less 24 hours (not used below)

  function setCookie(name, value) { // use: setCookie("name", value);
    document.cookie = name + "=" + escape(value) + "; path=/; expires=" + expiry.toGMTString();
  }

  // Called from the form's onSubmit: remembers the selected logon method in the
  // "logonmethod" cookie so that it is sent with the POST to /cgi/login (where the
  // NetScaler authentication policies read it) and preselected on the next visit.
  function storeValues(form) {
    setCookie("logonmethod", form.logonmethod.value);
    return true;
  }
</script>

<!-- Replaces the existing opening FORM tag. storeValues() runs first; the original
     clean_name_cookie() handler is kept and still runs before the form is posted. -->
<FORM method="post" action="/cgi/login" name="vpnForm" autocomplete="off" style="margin:0" onSubmit="storeValues(this); clean_name_cookie();">
<!-- Nordic Edge modification End -->

<!-- Nordic Edge modification Start -->
<!-- New table row inside the logon form: the "Logon method" drop-down. -->
<TR>
  <TD align=center><SPAN class="CTXMSAM_LogonFont" style="padding-right:10px;">Logon method:</SPAN></TD>
  <TD>
    <select name="logonmethod" size="1" style="width: 100px;">
      <script type="text/javascript">
        // One option per authentication method. The values must match the NAS IDs
        // configured in section 3.3 and the OTP Server clients in section 4.2.
        var logonmethod = getCookie("logonmethod");
        var MyLogonMethods = ["SMS", "Pledge"];
        for (var i = 0; i < MyLogonMethods.length; i++) {
          document.write("<option ");
          if (MyLogonMethods[i] == logonmethod) {
            document.write("selected=\"selected\" ");
          }
          document.write("value=\"" + MyLogonMethods[i] + "\">" + MyLogonMethods[i] + "</option>");
        }
      </script>
    </select>
  </TD>
</TR>
<!-- Nordic Edge modification End -->

3.2 Update Citrix NetScaler startup script

The directory /netscaler/ns_gui is rebuilt from the NetScaler image at every boot, so a modified index.html placed there does not survive a restart. Keep the modified copy in a persistent location, in this guide /var/vpn/vpn/index.html, and add the following line to /nsconfig/rc.netscaler so that it is copied into place at startup:

cp /var/vpn/vpn/index.html /netscaler/ns_gui/vpn/index.html

Copy the modified file to /var/vpn/vpn/index.html before restarting.

3.3 Add multiple authentication methods to NetScaler configuration

In this step we will configure Citrix NetScaler authentication servers and policies corresponding to SMS and Pledge. The policies will then be bound to the NetScaler virtual server.

Information about the chosen authentication method is sent to the OTP Server via a RADIUS attribute (the NAS ID of each authentication server).

Add Authentication Server

- Browse to the Citrix NetScaler configuration utility. Example: https://192.168.0.94
- Expand Access Gateway, then Policies, and click on Authentication.
- Click on the Servers tab and click on the Add button.
- Type "SMS" as the name of the Authentication Server.
- Choose RADIUS as Authentication Type.
- Type the IP address of the OTP Server.
- Change the Time-out to 25.
- Type a Secret Key. Enter the same key in the OTP Server (where it is called shared secret). Use a long random value: the RADIUS shared secret is what authenticates the NetScaler to the OTP Server and protects the user password in transit.
- Type "SMS" as the NAS ID.

Create one more Authentication Server for Pledge (reuse the window or click the Add button again):

- Type "Pledge" as the name of the Authentication Server.
- Choose RADIUS as Authentication Type.
- Type the IP address of the OTP Server.
- Change the Time-out to 25.
- Type a Secret Key. Enter the same key in the OTP Server.
- Type "Pledge" as the NAS ID. This value must match the RADIUS attribute value configured on the NetScaler Pledge client in the OTP Server (section 4.2).

Add Authentication Policy

- Click on the Policies tab and click on the Add button.
- Type "SMS Server" as the name.
- Select RADIUS as Authentication Type.
- Select SMS as Server.
- Select HEADER as Qualifier.
- Select CONTAINS as Operator.
- Type "SMS" as Value.
- Type "Cookie" as Header Name.

The resulting expression matches when the Cookie header of the logon request contains the string SMS, which is the case when the user picked SMS in the Logon method drop-down (the login page stores the choice in the logonmethod cookie). Note that CONTAINS is evaluated over the whole Cookie header, not only the logonmethod cookie, so keep the two values distinct from each other and from any other cookie names in use, and mind the policy priority when both policies could match.

Create another Authentication Policy for Pledge (reuse the window or click the Add button again):

- Enter "Pledge Server" as name.
- Select RADIUS as Authentication Type.
- Select Pledge as Server.
- Make sure HEADER is the Qualifier and "Cookie" the Header Name, as for the SMS policy.
- Change the Operator to CONTAINS.
- Type "Pledge" as Value.
- Click on OK.

Connect Authentication Policy to your Citrix Virtual Server

- Click on Access Gateway, then on Virtual Servers. Select the Virtual Server, in this guide called vs1.
- Click on Open.
- Click on the Authentication tab.
- Click on Insert Policy.
- Select SMS Server.
- Repeat this step and select Pledge Server.

Restart Citrix NetScaler

Save the NetScaler configuration and restart the appliance so that the startup script in /nsconfig/rc.netscaler copies the modified login page into place.
4 Configure the One Time Password Server for use of multiple authentication methods

In this step we will configure OTP Clients and OTP Databases that correspond to the authentication methods used by Citrix NetScaler.

1. Create OTP Databases for SMS and Pledge authentication.

2. Create OTP Clients with Client Name for SMS and Pledge authentication.   

Start the One Time Password Server Configurator

4.1 Create databases for Citrix Authentication Methods

In this example we will rename the existing OTP Database (MS Active Directory) to SMS AD, to make clear that it is used for authentication with one-time passwords via SMS.

- Create a new OTP Database for Pledge authentication by right clicking on the database called SMS AD in the left pane. Choose Duplicate Database.

- Type Pledge AD as Database Display Name.
- Select Use HOTP or TOTP (OATH).
- Change OTP Attribute to the attribute used for Pledge OATH keys. In this guide we use the carLicense attribute.

NOTE: The administrator account used for this database (Admin DN) requires modification rights for the attribute carLicense on all user objects in the LDAP directory, because the OTP Server must write back the updated counter for the Pledge OATH key after each successful authentication. Read access alone is not enough.
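The following is an added example in Python, not part of the Nordic Edge guide or of the OTP Server's own code, showing why write access to the OTP attribute matters for an HOTP (OATH) database: after a successful verification the server must persist the advanced counter, otherwise the same code could be replayed and the look-ahead window never moves. The Directory class, the "hexkey:counter" layout inside carLicense, the user DN and the use of the RFC 4226 test key are constructed for this illustration; the real OTP Server stores Pledge keys in its own format.

```python
# Added example, not from the Nordic Edge guide: HOTP verification with the
# counter persisted in a directory attribute. Directory, the "hexkey:counter"
# attribute layout and the sample user are assumptions for the illustration.
import hmac
import hashlib
import struct


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Directory:
    """Constructed stand-in for the LDAP directory. `writable` lists the
    attributes the bound Admin DN may modify, modelling its ACL."""

    def __init__(self, entries, writable=()):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}
        self.writable = set(writable)

    def get(self, dn, attr):
        return self.entries[dn][attr]

    def modify(self, dn, attr, value):
        if attr not in self.writable:
            raise PermissionError(f"Admin DN lacks write access to {attr}")
        self.entries[dn][attr] = value


def verify_hotp(directory, dn, otp, window=5, attr="carLicense"):
    """Check `otp` against the HOTP key and counter stored in `attr` (assumed
    layout "hexkey:counter"). Any counter from the stored one up to `window`
    ahead is accepted (the token may have generated codes that were never
    used); on success the counter is persisted just past the one used, so the
    same code cannot be replayed and earlier codes stop being valid."""
    key_hex, counter_str = directory.get(dn, attr).split(":")
    key, counter = bytes.fromhex(key_hex), int(counter_str)
    for candidate in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(key, candidate), otp):
            directory.modify(dn, attr, f"{key_hex}:{candidate + 1}")
            return True
    return False


# Constructed sample data: the RFC 4226 test key for one user, counter 0.
RFC4226_KEY = b"12345678901234567890"
USER_DN = "cn=alice,ou=users,dc=example,dc=com"
SAMPLE_ENTRIES = {USER_DN: {"carLicense": RFC4226_KEY.hex() + ":0"}}


def demo():
    """Runs the scenarios behind the NOTE above and returns their outcomes."""
    writable = Directory(SAMPLE_ENTRIES, writable=["carLicense"])
    first = verify_hotp(writable, USER_DN, "755224")    # counter 0: accepted
    replay = verify_hotp(writable, USER_DN, "755224")   # same code again: rejected
    ahead = verify_hotp(writable, USER_DN, "359152")    # counter 2, inside window: accepted
    behind = verify_hotp(writable, USER_DN, "287082")   # counter 1, now behind: rejected
    read_only = Directory(SAMPLE_ENTRIES)               # Admin DN without modify rights
    try:
        verify_hotp(read_only, USER_DN, "755224")
        write_error = None
    except PermissionError as exc:
        write_error = str(exc)
    return {"first": first, "replay": replay, "ahead": ahead, "behind": behind,
            "stored_counter": writable.get(USER_DN, "carLicense").split(":")[1],
            "write_error": write_error}
```

With a read-only Admin DN the code itself verifies, but the counter update fails, which is exactly the situation the NOTE warns about; with write access the stored counter advances to 3 after the two accepted logons.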

4.2 Configure OTP Server Clients for your authentication methods

The Nordic Edge OTP Server client supports RADIUS attribute detection: the OTP Server inspects an attribute of the incoming RADIUS request and selects the client whose configured attribute number and value match. Here Citrix NetScaler sends attribute 32 (the NAS ID) with the value of the authentication method the end user chose, so one OTP Server client is created per method, each pointing at the appropriate user database.

Create OTP Server client for SMS authentication

This client will be used by Citrix NetScaler for authentication with SMS.

- Expand Clients and click on the "My SSL-VPN Server" client. This client was created by following the Step by step guide to implement SMS authentication to Citrix Access Gateway Enterprise Edition.
- Change the Client Display name to NetScaler SMS.
- Click on the Advanced button.

- Set RADIUS attribute number to 32.
- Type SMS as RADIUS attribute value.

INFO: The RADIUS attribute number and value correspond to the NAS ID setting of the Citrix NetScaler Authentication Server named SMS (NAS-Identifier is RADIUS attribute 32).
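The following Python is an added example, not code from the Nordic Edge guide, Citrix or the OTP Server. It shows, for section 2 and this section together, what happens on the wire: the NetScaler-side policy picks an authentication server from the Cookie header, that server's NAS ID is sent as RADIUS attribute 32 (NAS-Identifier) in the Access-Request alongside the RFC 2865 obfuscated User-Password, and the OTP Server side selects the client, and thereby the user database, by that attribute. The POLICIES and OTP_CLIENTS tables, the shared secret and the sample cookie values are assumptions that mirror the configuration described in sections 3.3 and 4.2.

```python
# Added example, not code from the Nordic Edge guide, Citrix or the OTP Server:
# the method chosen on the login page travels from NetScaler to the OTP Server
# as RADIUS attribute 32 (NAS-Identifier, RFC 2865), and the server dispatches
# on it. POLICIES, OTP_CLIENTS and the shared secret are assumed values that
# mirror sections 3.3 and 4.2 of the guide.
import hashlib
import os
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 1, 2, 32

# NetScaler side, in priority order: (policy, substring the Cookie header must
# contain, NAS ID of the RADIUS authentication server the policy points to).
POLICIES = [("SMS Server", "SMS", "SMS"), ("Pledge Server", "Pledge", "Pledge")]

# OTP Server side: one client per expected attribute 32 value, each bound to a database.
OTP_CLIENTS = {"SMS": {"client": "NetScaler SMS", "database": "SMS AD"},
               "Pledge": {"client": "NetScaler Pledge", "database": "Pledge AD"}}


def select_policy(cookie_header):
    """Emulate 'HEADER Cookie CONTAINS <value>': first match wins, and the
    substring is searched in the whole Cookie header, not only logonmethod."""
    for name, needle, nas_id in POLICIES:
        if needle in cookie_header:
            return name, nas_id
    return None


def _password_blocks(data, secret, authenticator, encrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), the first block keyed by the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (xored if encrypt else block)
    return out


def encode_user_password(password, secret, authenticator):
    return _password_blocks(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)


def decode_user_password(cipher, secret, authenticator):
    return _password_blocks(cipher, secret, authenticator, False).rstrip(b"\x00")


def _tlv(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, nas_id, secret, identifier=1, authenticator=None):
    """NetScaler side: Access-Request carrying User-Name, User-Password and the
    configured NAS ID as NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_tlv(ATTR_USER_NAME, username.encode())
             + _tlv(ATTR_USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _tlv(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Server side: header plus TLV walk, rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def dispatch(packet, secret):
    """OTP Server side (RADIUS attribute detection): select the client by the
    value of attribute 32, recover the password and return the user database
    the logon is verified against. None means no client matched."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    nas_id = attrs.get(ATTR_NAS_IDENTIFIER, [b""])[0].decode("utf-8", "replace")
    client = OTP_CLIENTS.get(nas_id)
    if client is None:
        return None
    username = attrs.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", "replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, [b""])[0], secret, authenticator)
    return client["database"], username, password


def login(cookie_header, username, password, secret=b"example-shared-secret"):
    """End to end: Cookie header -> policy -> Access-Request -> OTP client -> database."""
    chosen = select_policy(cookie_header)
    if chosen is None:
        return None
    return dispatch(build_access_request(username, password, chosen[1], secret), secret)
```

login("logonmethod=Pledge", "alice", "123456") ends up at the Pledge AD database, and a request whose attribute 32 matches no client is refused. Because CONTAINS is evaluated over the whole Cookie header, select_policy("logonmethod=Pledge; NSC_SMS=1") (NSC_SMS being a hypothetical cookie name) returns the SMS policy: keep the policy values distinct from other cookie names and mind the priority order.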

Create OTP Server Client for Pledge authentication

This client will be used by Citrix NetScaler for authentication with Pledge.

- Select the NetScaler SMS client, right click and click on Duplicate Client.
- Change the Client Display name to NetScaler Pledge.
- Click on the Advanced button.

- Change the RADIUS attribute value to Pledge.
- Click on OK.

- Select the Pledge AD database (created in section 4.1) as the User Database. The duplicated client still points at SMS AD, which would make the OTP Server verify Pledge logons against the SMS database instead of the OATH one.
- Click on Save.

Restart OTP Server

- Stop and start the OTP Server service again so that the new database and clients are loaded.

Test authentication with multiple authentication methods

End users can now choose between the authentication methods on the Citrix NetScaler login page. Browse to the NetScaler URL, select the required authentication method (SMS or Pledge), then type your username and password. The selected method is sent to the OTP Server as the NAS ID of the matching authentication server, and the OTP Server verifies the logon against the corresponding user database.
